Current processors may provide support for a trusted execution environment such as a secure enclave. Secure enclaves include segments of memory (including code and/or data) protected by the processor from unauthorized access including unauthorized reads and writes. In particular, certain processors may include Intel® Software Guard Extensions (SGX) to provide secure enclave support. SGX provides confidentiality, integrity, and replay-protection to the secure enclave data while the data is resident in the platform memory and thus provides protection against both software and hardware attacks. The on-chip boundary forms a natural security boundary, where data and code may be stored in plaintext and assumed to be secure. The contents of an SGX secure enclave may be authenticated and therefore trusted by the independent software vendor (ISV) that provides the secure enclave. However, an SGX enclave may be capable of reading and/or writing to regular process memory and thus may not be trusted by the hosting application process or operating system.
Certain operating systems may support sandboxing for native object code. For example, Google® Native Client (NaCl) provides a mechanism for executing native object code in an isolated sandbox provided by a web browser. To ensure isolation, NaCl imposes strict limitations on the operations allowed to be performed by the native object code. In addition, NaCl does not permit code to execute within an SGX secure enclave.